1 / 43

Moonshot

Moonshot. Adam Bishop 1 1 th March 2013. Use Cases. Use cases. Lets dive straight in and look at some use cases: That have no current deployable federated solution, apart from Moonshot Have a user experience that can be significantly improved by Moonshot

megang
Download Presentation

Moonshot

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Moonshot Adam Bishop 11th March 2013

  2. Use Cases

  3. Use cases Lets dive straight in and look at some use cases: • That have no current deployable federated solution, apart from Moonshot • Have a user experience that can be significantly improved by Moonshot • Have existing deployment models whose cost and effort can be reduced by Moonshot This is just a small sample, to illustrate the range of possibilities…

  4. Cancer Research UK Cancer Research UK is the world’s leading charity dedicated to beating cancer through research. The institutes form ad hoc relationships to collaborate for research purposes, but when the need arises to share data and documents, each institute can only authenticate within their own organisation. “Moonshot is a valuable enabler for Cancer Research across the UK. It will make collaboration systems easy to build internally so that we can quickly share large data sets between institutes, without complicating the management of that system.” Peter Maccallum, Head of IT & Scientific Computing, CRUK Cambridge Research Institute

  5. Moonshot and… Federated Sharing of Data Many organisationscollaborate with others, wanting to share data and documents: • E.g. Provision of access to remote file systems (SAMBA / CIFS / NFS) • Today, users’ credentials must be managed by the provider Using Moonshot, authentication happens at user’s home organisation – provider does not manage and ‘see’ the credentials

  6. Moonshot and… Cloud Services Many organisations are outsourcing services to the cloud, or delivering services in the cloud • For example: Exchange in the cloud • Today, user’s credentials must be supplied to the provider • E.g. Using directory synchronization technologies • SAML authentication an option for some, but not all, and not all clients (e.g. Microsoft Lync client) Using Moonshot, authentication happens at user’s home organisation – provider does not manage and ‘see’ the credentials

  7. e.g. Outlook connecting to hosted Exchange

  8. Diamond Light Source The UK’s national synchrotron facility Piloting Moonshot within the PANDATA project, which supports a community of 30,000 scientists from 100s of organisationsat 20+ photon and neutron facilities Federated access needed to physical consoles in person, or remotely using SSH “Moonshot has thought beyond websites, and looked at what is really required in authentication – right down to the point when you open your laptop to begin work.” Bill Pulford, Head of DASC, Diamond Light Source

  9. Moonshot and… Federated SSH Organisations with compute clusters typically: • Allow access through SSH • Have a community of users, some internal some external • Have to manage the credentials of all users Using Moonshot for SSH access: • Authentication happens at user’s home organisation – no credentials to manage at service! • Various options possible for mapping users to accounts

  10. e.g. PuTTY connecting to Linux OpenSSH

  11. Moonshot and… Federated Desktop Sign-in Some organisationswant to enable manageable desktop sign-in for external users • Seconded personnel, visitors, contracts, etc; • Or beyond – e.g. public sector desktops that should allow local government users, police users, fire users, health workers, social services users, etc Highly challenging using contemporary technology Moonshot integrates directly into Windows and Linux desktop sign-on

  12. Other tested scenarios For example… (these are tested, working examples) OpenLDAPclient  OpenLDAP server (GSS) OpenLDAP client (GSS)  Windows Active Directory (SSPI) Firefox  Apache (GSS) Internet Explorer  IIS (SSPI) MyProxy client  MyProxy server (SASL) Adium  Jabberd (SASL)

  13. Introducing Moonshot

  14. Moonshot’s Goals Lower the barriers to collaborationwithin the Janet community Reduce the cost and time tocreatenew services Drive down operational costs forboth Janet and our community

  15. How? By enabling our customers to FederateAnything& Everything, Easily By enable communities to managethemselves By unifying the disparate trusttechnologies in use today

  16. Moonshot Technology Moonshot builds on deployed, proven technology… • Strong authentication used by eduroam (EAP/RADIUS) • Strong authorisation used by UK federation (SAML) • Strong service/application integration used by many major applications (operating system security APIs) Standardisation approaching completion within the Internet Engineering Task Force (IETF) Moonshot is Janet’s open source implementation

  17. Architecture (1) Credentialing (3) Authentication (5) Attributes (6) SSH session SSH client SSH server RADIUS server (2) SSH negotiation (4) RADIUS OpenSSH used as example of application; many others also apply

  18. Moonshot’s Flexibility Moonshot enables: • Federated authentication to virtually any network-connected system, application, or service • Virtually any deployment model (centralised, distributed, cloud) • The use of almost any kind of authentication credential A unified trust & identity infrastructure, capable of satisfying virtually any security requirement

  19. Benefits of Moonshot

  20. Federate Anything & Everything, Easily Moonshot integrates with OS level security APIs (GSS-API / SSP / SASL) • Proven, deployed technology already in use by many applications within your organisation • Many applications already support Moonshot with little or no modification • (Kerberos is a well-known GSS-API mechanism)

  21. Easy to Deploy Many organisations already have the necessary infrastructure • A RADIUS server (you may have already for eduroam) • A SAML server (you may have already for the UK federation) If so • You already have the technology and skills in place

  22. Easy to Manage Communities set up and managed by the community themselves! • Saves on administrative overhead everywhere • No configuration changes required at IdP/service to support new communities • Policies can be targeted for the specific community • Easier and more intuitive for users How?

  23. Easy to Manage Community management portal • Communities create and manage themselves in the portal • Easily managed list of organisations (and/or specific users) that are a part of that community and have agreed to its policies • Services belong to particular communities • Authorisation can happen based on community membership (amongst the other “usual” things) • Community membership can be used to enable cross-organisationalauthorisation (“virtual organisations”)

  24. Deploying Moonshot - Requirements

  25. Requirements So what’s needed to “do” Moonshot? There are 3 main roles in Moonshot: • Identity Provider • Relying Party (Service) • User

  26. Requirements – Identity Provider & User At the home organisation: • An existing identity store (e.g. LDAP) • RADIUS Server • SAML Server On the user’s device: • Moonshot libraries • MSIs on Windows, RPMs/Debs on Linux, installer on Mac • A way of choosing the identity • Moonshot Identity Selector / Windows Credential Manager

  27. Requirements – Relying Party At the service: • RADIUS Server • Moonshot libraries • MSIs on Windows, RPMs/Debs on Linux, installer on Mac • Service configured to use GSS/SSP/SASL authentication

  28. Janet’s MoonshotPilot Service

  29. Moonshot Pilot Service 18 month pilot • Begins April 2013 • All technology ready and in place • Portal for managing communities available • Support available for participants Main aims: • Allows Janet to pilot the service and support offerings • Allows community to pilot Moonshot with a stable backend infrastructure and with support available Around 50 applications: • A mix of education, HPC and cloud use cases.

  30. Moonshot Pilot Service GÉANT Pilot: • Subject to approval and final details • Running at the European level, under GÉANT Goals: • Worth with partner NRENs to promote non-web SSO within eduGAIN • Multiple peered trust routers in operation for interoperability and performance testing

  31. A Quick Recap Standardised next-gen identity & trust technology Building on proven, deployed technologies Cross-platform implementation Communities manage themselves Easy to deploy and use

  32. Trust Router

  33. Important R&E trust infrastructures today Organisation • Kerberos / Windows Domains for corporate ICT services • Various Web SSO solutions using variety of hacks/technologies National/Regional • Web SSO federations, principally using SAML metadata PKI • National/European Grid Infrastructure(s) using x.509 PKI • Other x.509 PKI initiatives (e.g., GÉANT’s eduPKI) Global • Internet x.509 PKI (with TERENA enabling purchasing aggregation) • IGTF, principally using x.509 PKI • eduroam using RADIUS (and RadSec/x.509 PKI) • eduGAIN using SAML metadata PKI

  34. Some reflections on these trust infrastructures Our customers would prefer to deploy fewer technologies; and preferably just one However a single trust technology must support the policy requirements of a broad range of communities distributed across our customers; there is no “one size fits all” Today’s hierarchical organisation of R&E trust infrastructure (campus  national  regional  global) is increasing irrelevant to our customers, who need multiple trust infrastructures (not multiple technologies!) reflecting their relationships with other organisations globally

  35. Collapsing to a single trust technology Use cases spanning one or more communities Community Community Community Baseline Trust Policy

  36. Community-centric Federation Helpful to segregate communities into logical groups ‘Authentication Policy Community’ (APC) • A collection of registrations representing each customer • Common registration policy is relatively easy to define (e.g., NIST 800-64, WebTrust, etc) ‘Community of Interest’ (CoI) • A collection of these customer representations • CoIs have any kind of policy; very difficult to normalise

  37. APCs and CoI C D B E A F A B E D D C

  38. Technology requirements Efficient & robust Significant scalability • Janet’s target use cases imply 100Ks of RPs Support for numerous and diverse communities • These will be organised arbitrarily, across many organisational and national boundaries Integration with diverse use cases & applications One trust technology, supporting multiple trust infrastructures, for any use case

  39. Janet’s Trust Router The final major output of Project Moonshot: https://community.ja.net/groups/moonshot A next generation trust infrastructure for ABFAB-based federated identity systems Implements draft-mrw-abfab-trust-router Functional Specification: https://community.ja.net/groups/moonshot/documents/draft-trust-router-specification

  40. Terminology Trust Link – asserts that one Trust Router is willing and able to forward Trust Path Requests to another TR or AAA Server Trust Path – set of Trust Links that can be used by a specific Relying Party to reach an AAA Server in the domain of a specific Identity Provider A(T)->B(T) – a Trust Link between two Trust Routers for realms A and B

  41. Trust Router Protocol 2 6 4 5 3 1 3(T)->C(A) 2(T) ->3(T) 3(T)->C(A) 2(T)->5(T) 5(T)->6(T) 6(T)->F(A) Realm C AAA 5(T)->6(T) 6(T)->F(A) 4(T)->5(T) 5(T)->6(T) 6(T)->F(A) 5(T)->6(T) 5(T)->F(A) 6(T)->F(A) Realm F AAA

  42. Further Information Moonshot Community website: • https://community.ja.net/groups/moonshotSoftware: • https://community.ja.net/groups/moonshot/article/moonshot-dvd-image-and-code-update • https://community.ja.net/groups/moonshot/article/moonshot-pilot-release-1-dvd Standards: • https://tools.ietf.org/wg/abfab

More Related